On Thu, Jan 18, 2018 at 11:29:19AM +0100, Félix Sipma wrote:
> Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED"
> operation="open" profile="libreoffice-oopslash"
> name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088
> comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

15:07 < _rene_> Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[...]
15:09 <@jmux> _rene_: desktop/unx/source/pagein.c:61: sprintf(fullpath,"/sys/dev/block/%d:%d/queue/rotational",major,minor);
15:09 < _rene_> shrugs.
15:10 <@jmux> I stumbled about this code a while ago and quickly wiped my memory of it
15:11 < mst_> jmux: it probably calls SfxBaseModel::close
15:11 < _rene_> ok, shouldn't do bad things at least when this is disallowed

> Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED"
> operation="open" profile="libreoffice-soffice"
> name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED"
> operation="open" profile="libreoffice-soffice"
> name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED"
> operation="open" profile="libreoffice-soffice"
> name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db"
> pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED"
> operation="open" profile="libreoffice-soffice"
> name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db"
> pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000
> ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED"
> operation="open" profile="libreoffice-soffice"
> name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db"
> pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000
> ouid=1000

Leaves (assuming the simple adding of gpg and gpgsm suffices) just this one.

https://github.com/mk-fg/apparmor-profiles/blob/master/profiles/usr.bin.firefox has

owner @{HOME}/.mozilla/firefox/** rwk,

in the profile...

Thinking about it, we probably also would need owner "@{HOME}/.gnupg/* rwk," then
for gpg. This gets interesting...

Regards,

Rene
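
Added example (not part of the original e-mail or of any project's code): Python that turns complain-mode AVC lines like those quoted above into candidate file rules per profile, for manual review before anything goes into a profile. The function names, the rewrite of /home/<user>/ to @{HOME}/ and the use of `owner` when fsuid equals ouid are assumptions of this example.

```python
import re
from collections import defaultdict

# Three audit lines copied from the message above (wrapped fields rejoined).
SAMPLE_LOG = """\
Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PERM_ORDER = "rwaklmx"                            # display order for permission letters


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC line, or None."""
    if "AVC apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def candidate_rules(log_text):
    """Map profile name -> list of candidate file rules (to be reviewed by hand)."""
    perms = defaultdict(set)  # (profile, path, owner?) -> permission letters
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in f:
            continue
        # Assumption: home directories live under /home/<user>/.
        path = re.sub(r"^/home/[^/]+/", "@{HOME}/", f["name"])
        # Assumption: same fsuid and ouid means an "owner" rule is enough.
        owner = "fsuid" in f and f["fsuid"] == f.get("ouid")
        # denied_mask is what the profile currently lacks.
        perms[(f["profile"], path, owner)].update(f.get("denied_mask", ""))
    rules = defaultdict(list)
    for (profile, path, owner), letters in sorted(perms.items()):
        mask = "".join(sorted(letters, key=PERM_ORDER.find))
        rules[profile].append(f"{'owner ' if owner else ''}{path} {mask},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print("  " + rule)
```

The output lists exact paths only; whether to widen them to a glob such as the `@{HOME}/.mozilla/firefox/**` rule mentioned above stays a decision for whoever maintains the profile.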